[Tfug] Security-related question

Harry McGregor micros at osef.org
Tue Feb 22 08:43:21 MST 2011


Hi,

Standard tools for this would be tcpdump and wireshark.  Do full
packet/frame captures with tcpdump, and load the pcap file into
wireshark; there you can filter based on the MAC address of the VM.  You
can also use wireshark directly to do the capture.  Most of the time the
machines I am doing the capture on are remote, and tcpdump is simpler
for that.

I would use a bridged connection instead of NAT, so that the machine is
native on your local network, but tcpdump can do either with ease.


                                        Harry

On 2/22/11 8:22 AM, Jim March wrote:
> Folks,
>
> I'm trying to figure out what a particular Windows piece of malware does.
>
> To that end I built a brand new WinXP virtual machine via Virtualbox
> (Linux host of course) and then infected the virtual machine :).
>
> In Ubuntu (Gnome) I usually run the System Monitor toolbar widget set
> to display CPU, memory and network traffic.  In the latter I can see
> network traffic happening that I can't explain as being Linux-related,
> so it has to be the virtual machine (which has Internet connectivity
> via a NAT router off of the Linux host)...in other words, guest OS
> traffic will be visible in the host Linux system.
>
> I need to know first how I can prove that it's the Windows XP guest OS
> that's doing the traffic, or which other processes are doing which
> traffic, and then if possible log ALL of that traffic
> (preferably using Linux tools) for a brief time period to a file for
> analysis.
>
> Any help appreciated :).
>
> Jim March
>
>
> _______________________________________________
> Tucson Free Unix Group - tfug at tfug.org
> Subscription Options:
> http://www.tfug.org/mailman/listinfo/tfug_tfug.org
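The workflow Harry describes (capture every frame on the host, then keep only the frames whose Ethernet address is the guest's MAC) can be checked offline once the capture is on disk. The following is an added example, not code from this thread or from tcpdump/Wireshark: a minimal pcap reader that attributes bytes per source MAC and filters to one MAC, which is the same selection Wireshark's `eth.addr == <mac>` filter or tcpdump's `ether host <mac>` expression performs. The MACs, IP addresses and the three-frame capture are constructed placeholders built inline so the script runs without a real capture.

```python
"""Attribute captured Ethernet frames to a VM by its MAC address.

Added example for the tfug thread above; not the poster's code.  A tiny pcap
is constructed inline: two frames involve the guest's MAC, one comes from the
host NIC.  All addresses below are assumed placeholders.
"""
import struct
from collections import defaultdict

VM_MAC = "08:00:27:aa:bb:cc"    # assumed MAC of the Windows XP guest
HOST_MAC = "00:11:22:33:44:55"  # assumed MAC of the Linux host NIC
GW_MAC = "00:aa:bb:cc:dd:ee"    # assumed MAC of the upstream gateway


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(src_mac, dst_mac, src_ip, dst_ip, payload_len):
    """Ethernet II + minimal IPv4 header (checksum left zero; constructed data)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00"
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + payload_len, 0, 0, 64, 17, 0,
        bytes(int(o) for o in src_ip.split(".")),
        bytes(int(o) for o in dst_ip.split(".")),
    )
    return eth + ip + b"\x00" * payload_len


def build_pcap(frames, first_ts=1298389401):
    """Write a little-endian pcap (magic 0xa1b2c3d4, LINKTYPE_ETHERNET=1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", first_ts + i, 0, len(frame), len(frame)) + frame
    return out


def iter_frames(pcap):
    """Yield (timestamp, frame bytes) from a pcap buffer, either byte order."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype, = struct.unpack_from(endian + "I", pcap, 20)
    if linktype != 1:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(pcap):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", pcap, off)
        off += 16
        data = pcap[off:off + incl_len]
        if len(data) < incl_len:
            raise ValueError("truncated record at offset %d" % off)
        off += incl_len
        yield ts_sec, data


def parse_eth(frame):
    """Decode dst/src MAC, EtherType and (for IPv4) the inner IP addresses."""
    if len(frame) < 14:
        return None
    rec = {
        "dst": mac_str(frame[0:6]),
        "src": mac_str(frame[6:12]),
        "ethertype": struct.unpack_from("!H", frame, 12)[0],
        "len": len(frame),
    }
    if rec["ethertype"] == 0x0800 and len(frame) >= 34:
        rec["src_ip"] = ".".join(str(b) for b in frame[26:30])
        rec["dst_ip"] = ".".join(str(b) for b in frame[30:34])
    return rec


def bytes_per_mac(pcap):
    """Total bytes transmitted per source MAC: shows which NIC is talking."""
    counts = defaultdict(int)
    for _, frame in iter_frames(pcap):
        rec = parse_eth(frame)
        if rec:
            counts[rec["src"]] += rec["len"]
    return dict(counts)


def frames_for_mac(pcap, mac):
    """Frames where the given MAC is source or destination (like eth.addr ==)."""
    mac = mac.lower()
    out = []
    for _, frame in iter_frames(pcap):
        rec = parse_eth(frame)
        if rec and mac in (rec["src"], rec["dst"]):
            out.append(rec)
    return out


# Constructed three-frame capture: guest -> gateway, gateway -> guest, host -> gateway.
SAMPLE_PCAP = build_pcap([
    build_frame(VM_MAC, GW_MAC, "10.0.2.15", "10.0.2.2", 100),
    build_frame(GW_MAC, VM_MAC, "10.0.2.2", "10.0.2.15", 50),
    build_frame(HOST_MAC, GW_MAC, "192.168.1.10", "192.168.1.1", 30),
])

if __name__ == "__main__":
    print("bytes sent per MAC:", bytes_per_mac(SAMPLE_PCAP))
    for rec in frames_for_mac(SAMPLE_PCAP, VM_MAC):
        print(rec)
```

To apply this to a real capture, take the full capture on the host first (for example `tcpdump -i <iface> -w capture.pcap`, with `<iface>` the bridged or NAT interface; adding `ether host <mac>` to the expression restricts the capture to the guest's frames at capture time), then `open("capture.pcap", "rb").read()` in place of `SAMPLE_PCAP`. A MAC whose byte count is non-zero while the guest is idle on the host side is the proof Jim was after that the guest, not a host process, is generating the traffic.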
